Threat Intelligence sharing: What kind of intelligence to share?
With the rapid pace of digitalisation, the expanding attack surfaces and the ever-growing number of vulnerabilities and attack techniques leaves fewer and fewer organisations capable of defending themselves and sensitive data in their care. Many recent and painfully successful cyber attacks raised again the issue of sharing threat intelligence in an attempt to thwart the attacks. Government and business hope that timely sharing of threat intelligence will offer a proactive way to defend against cyber attacks.
What is intelligence?
Intelligence refers to process of gathering, analysing and interpreting tactical information in order to make decisions. Therefore, to be defined as intelligence, the information must be combined, analysed, interpreted and disseminated. In constrast, raw information can be gathered from any kind of sources and it may be misleading, inacurrate, unrelated and unreliable. “
What is threat intelligence?
Threat intelligence is evidence-based knowledge, including contexts, mechanisms, indicators, implications and actionable advices, about existing cyber attacks or emerging cyber threats that can be used to understand the threats that have, will, or are currently targeting an organisation. The primary purpose of threat intelligence is helping organisations to perceive the risks of the foremost common and severe external threats, like zero-day threats, advanced persistent threats and exploits, and thus allowing them to make inform decisions regarding the response to those threats. Going beyond IP addresses, hashes, and other threat data, threat intelligence provides critical context around a threat activity, including indicators of compromise (IoC), indicators of attack (IoA), the tactics employed, and, potentially, the motivation and identity of the adversary. Threat intelligence can help analysing risks, allocating resources, and understanding threats relevant to one’s own organisation, industry and geography. This information may include:
- Mechanisms of an attack
- How to identify that an attack is happening
- Ways different types of attacks might affect the organisation
- Action-oriented advice about how to defend against attacks
From this perspective, one source of threat intelligence is the organisation’s internal networks and systems. Another is the vast amount of information that exists outside, such as information collected by honeypots, spam traps, web crawlers specialised for identifying malware and monitoring hacking forums.
What is vulnerability?
A vulnerability is a weakness or defect in a software or hardware component that adversaries exploit to compromise a resource. The weakness or defect is in the requirements, designs, or implementations of the code found in a software or hardware component of a system. This weakness is directly exploited to negatively impact the confidentiality, integrity, or availability of that system. The process of discovering, reporting, and fixing vulnerabilities is called vulnerability management. A vulnerability, to which fix is not yet available, is called a zero-day vulnerability. “
How does threat intelligence get started?
Vulnerability databases consolidate information on disclosed vulnerabilities and also score their exploitability. One of the very first forms of threat intelligence was NIST’s National Vulnerability Database (NVD). It centralised information on disclosed vulnerabilities to help make it easier for organisations to see if they were likely to be affected. NIST stands for National Institute of Standards and Technology, U.S. Department of Commerce.
How does threat intelligence get produced?
Raw data is not information, and information is not the same thing as intelligence. Threat data today is largely neither machine consumable nor widely shared. It takes time for analysts to translate the indicators to machine format. Errors can be introduced during the translation process. Gathered raw data about existing or emerging threat actors and threats from several sources, is analysed, filtered, and correlated to produce threat intelligence feeds and management reports.
As the attack surface grows, so does the abundance of security threats and incidents. To respond to them quickly and comprehensively, security operations and incident response teams need to prioritise their efforts to maximise risk reduction. Threat intelligence helps to prioritse vulnerabilities based on true risk to the organisation:
- Enrich IoCs with real-time threat intelligence to reduce false positives and accelerate investigations
- Use risk lists and risk scores to prioritise urgent incidents and actions
- Monitor and alert on risks related to the organisation's domains, IP ranges, and other cyber assets
In the past few years, threat intelligence has started to mature from a marketplace and security user perspective in terms of how to best gather, organise, identify and share sources of threat intelligence.
What are the types of threat intelligence?
Threat intelligence is produced by collecting and analysing information about emerging or existing threat actors and threats from various sources. There are different types of threat intelligence, from high-level, non-technical information to technical details about specific threats. We can distinguish four main categories of threat intelligence:
- Strategic threat intelligence – The big picture of past, current and future trends in the threat landscape
Strategic threat intelligence is a high-level analysis typically reserved for non-technical audiences such as stakeholders or board members In that sense, it usually covers topics like security scores and the potential impacts of a business decision. Good strategic threat intelligence should provide insight into areas like risks associated with certain lines of action, broad patterns in threat actor tactics and targets, and geopolitical events and trends. Strategic threat intelligence tends to be the hardest form of intelligence to generate. It requires human collection and analysis that demands an intimate understanding of both cybersecurity and the nuances of the world's geopolitical situation.
- Tactical threat intelligence – Techniques, tools, and tactics of the threat actors
Tactical threat intelligence focuses on the immediate future and helps security teams to determine whether existing security programmes will be successful in detecting and mitigating certain risks. Tactical threat intelligence is the easiest type of intelligence to generate and is almost always automated. As a result, it can be found via open source and free threat intelligence feeds, but it usually has a very short lifespan because IoCs such as malicious IPs or domain names can become obsolete in days or even hours.
- Operational threat intelligence – Specifics about the nature and purpose of threats and actors
Operational threat intelligence aims to answer the questions – "who?", "what?", "and how?", and is gained by examining the details of past known attacks that have been identified through tactical intelligence It is most useful for security operation centres (SOCs) that are responsible for day-to-day security operations. Cybersecurity fields such as vulnerability management, incident response and threat monitoring are the biggest consumers of operational threat intelligence as it helps make them more efficient at their assigned functions.
- Technical threat intelligence – Technical indicators about the malware and campaigns (from shared threat intelligence feeds)
Technical threat intelligence focuses on specific technical indicators relating to threat actors' tools and infrastructure. The most common sources of technical threat intelligence are threat intelligence feeds provided by vendors and communities that share intelligence. Since technical threat intelligence is available in huge quantities and has a short usable lifespan, to maximise its value, technical indicators should be fed automatically into security solutions such as firewalls and content filters. Technical threat intelligence should not be relied on in isolation. A powerful threat intelligence programme must cover all four intelligence categories.
Why threat intelligence sharing is important?
Given threat actors are likely to act and behave in similar ways, it is increasing important that organisations share threat intelligence, and use the community’s experience to improve their security posture. Threat intelligence sharing allows timely implementation of adequate security measures. Organisations are better able to anticipate attacker strategies, identify malicious activity, and block attacks with detailed and contextualised threat intelligence.
- Collaboration and reciprocal relationships. Threat intelligence sharing can provide for increase collaboration fostering reciprocal relationships and trust.
- Context and perspective. Different people have different points of view. Threat intelligence sharing can provide interesting and varied findings from people within the community and industy with broad contexts.
- Bias elimination. Everyone is susceptible to bias, which can lead to over-confidence or over-optimism while making assessments. Threat intelligence sharing can help to discover the blind spots.
By exchanging threat intelligence within a sharing community, organisations can leverage the collective knowledge, experience, and capability of the community to gain a more complete understanding of the threats. Threat intelligence sharing is therefore a critical tool for the security community. It takes the know-hows of one single organisation and share it across the industry to strengthen security practices of all.
Concerns around sharing threat intelligence
Although threat intelligence is undoubtedly valuable, there are concerns preventing organisations from sharing, for example:
- Privacy and liability concerns: These can be overcome through a more accurate understanding of sharing intelligence, protective clauses in legal agreements, recent legislation, or care in what is being shared. In addition, scrubbing data for private information or sensitive corporate information before sharing is always a good idea regardless of the type of sharing involved.
- “Nothing valuable to contribute”: No organisation sees every attack or vulnerability. Sharing even the seemingly insignificant details can help getting more intelligence.
- “Too much noise”: The fear of contributing too much trivial data that could overwhelm the whole community with false positives and intelligence gaps, can be reduced by increasing the expertise of the security team.
- “Has been hacked”: The fear of sharing breach details more broadly than necessary can be remedied by establishing clear written procedures and following best practices while sharing.
Bad Intel lives forever!
However, threat intelligence sharing does have some disadvantages:
- Trusting other organisations
- their analysis capabilities
- making good decision, e.g., not submitting malware to open-source repos
- Possible intelligence gaps
- Tools simply cannot keep up with the volume
- Knowledge is power, sharing could quickly de-value the shared threat intelligence, –lifespan of OSINT vs. commercial vs. internal discovery
“Sharing is caring!” and threat intelligence sharing is critical, but it must be handled with utmost care. The sharing of threat intelligence should help security teams defend against attack and not hurt teams by overwhelming them with false positives and intelligence gaps.
Consider this incident happened earlier this year as The New York Times reports:
Last month, in the days before Microsoft released an emergency patch for vulnerable Exchange Servers, multiple state-backed Chinese groups were apparently tipped off that the company was testing a patch. They began gorging on vulnerable systems with a speed and aggression that some security experts said they had never seen before.
It is unclear how exactly these Chinese groups learned of Microsoft’s patch, but the timing suggests they caught wind of the moves when Microsoft rolled out a test version of its patch to its security partners at cybersecurity firms in late February. Eighty companies participate in a longstanding partnership with Microsoft, known as the Microsoft Active Protections Program, including 10 Chinese firms. Microsoft confidentially alerts these companies to emerging cyberthreats and vulnerabilities ahead of its official patch cycle. The company is investigating whether one of its partners may have leaked to Chinese hackers or was itself hacked.
Therefore, for threat intelligence sharing to work, all the involved organisations need:
- to trust each other, and
- to have effective processes to collect, exchange timely, and act quickly on the acquired intelligence.
They also need to ensure that any shared threat intelligence is meaningful to the community and the best course of action to take. The threat intelligence feeds, and management reports should be able to be used by automated security control solutions.
Actionable Threat Intelligence and Rapid Automated Processing
Actionable intelligence is the best way to be proactive instead of being reactive. Developing and sharing truly actionable threat intelligence requires tremendous efforts of a trained security teams on the part of the organisation developing that intelligence, as well as on the part of the organisations consuming it. While many organisations are actively collecting as much data as they can from various sources, including their own, much of the processing, correlating, analysing, and transforming it into threat intelligence are still done manually. This makes it difficult to respond to a threat quickly or to share timely actionable intelligence. Ideally, the consumption, processing, analysing, and correlating of threat intelligence should be carried automatically by a threat intelligence platform and the platform is an integrated part of the organisation’s security tool chain. Automation ensures that time-sensitive threat intelligence immediately reaches all stakeholders, so it can be acted on and be shared in time.
What threat intelligence should and could be shared?
As mentioned above, only actionable threat intelligence should be shared. Actionable threat intelligence is:
- Technical indicators, – technical artifacts or observables that suggest an attack is imminent or is currently underway or that a compromise may have already occurred, for example
- name of a malware and its hash values
- IP addresses used in prior attacks
- Tactic, Techniques and Procedures, – the TTPs threat actors use to exploit systems:
- Tactic: using malware to steal credit card information
- Technique: sending an email embedded with keystroke logging malware to capture credit card data
- Procedure: registering a domain to create legitimate-looking email accounts that might circumvent antivirus protections and spam blockers
The following information is not threat intelligence and does not need to be shared
- Personally, Identifiable Information (PII), – names, credit card data and other sensitive information
- Trade secrets, – sensitive internal corporate information is often the target of cyber-attacks, not the data shared to prevent the steal
Threat intelligence standards
Sharing is one of the most exciting aspects of threat intelligence, as organisations recognise that collaboration is crucial, and standards emerge to make it easier and faster to share information. Threat intelligence today is largely neither machine consumable nor widely shared. Leveraging on existing standards like STIX and TAXII for threat intelligence exchange would benefit organisations a lot.
STIX and TAXII are standards developed in an effort to improve the prevention and mitigation of cyber-attacks. STIX states the “what” of threat intelligence, while TAXII defines “how” that information is relayed. They were also developed from a need for a threat intelligence sharing standard. Unlike previous methods of sharing, STIX is machine-readable and therefore can be easily automated. TAXII is the transportation protocol specifically designed to support the exchange of cyber threat intelligence represented in STIX.
STIX – a structured language for cyber threat intelligenceStructured Threat Information Expression (STIX) is a language for describing cyber threat information in a standardised and structured manner. The STIX specification includes structures to represent many aspects of security intelligence in practice, security incidents and others, including indicators of adversary activity (e.g., IP addresses and file hashes) as well as additional contextual information regarding threats such as threat actors, adversary tactics, techniques and procedures (TTP), exploitation targets, campaigns and courses of action. It uses CybOX as the expression language for many of the elements that STIX syntax can represent, but it can also contain information expressed in other formats. The standardisation allows security researchers and practitioners to exchange threat intelligence with much lower risk of miscommunication, and it enables certain forms of automated processing of threat intelligence items. It makes heavy use of other currently available specifications to specify formats for the data items each STIX entity contains. STIX was developed by MITRE Corporation and is now maintained by the OASIS Cyber Threat Intelligence (CTI) TC.
The Cyber Observable eXpression (CybOX) specification defines a representation for observable attributes of computer and network activities and entities. Observables include things like files, HTTP sessions, X509 certificates and others, including system configuration items. The CybOX specification essentially provides a standardised but extensible vocabulary for describing the things one may observe about a computing system and its operations. Indicators, on the other hand, are observables set in a particular context. For example, the name of a Windows registry key could be an observable. That observable having a specific value, however, could be an indicator of the presence of a threat. IP addresses represent another sort of observable, and particular ones can be indicators of malicious intent.
TAXII – Trusted Automated eXchange of Intelligence Information
Trusted Automated eXchange of Intelligence Information (TAXII) defines how cyber threat intelligence information can be shared via services and message exchanges. It is designed specifically to support STIX information, which it does by defining an API that aligns with common sharing models. The three supported models include:
- Hub and spoke – one repository of information
- Source/subscriber – one single source of information
- Peer-to-peer – multiple groups share information
It seems that TAXII only supports STIX-formatted content, but it can transport information in a wide variety of formats. However, current practice typically teams TAXII transport with STIX expression and vocabulary. While TAXII provides secure transport, it avoids policy considerations such as topology, trust issues and governance. Higher-level protocols and agreements must address the policy concerns.
SCAP– Security Content Automation Protocol
SCAP is a suite of specifications for exchanging security automation content, which was collaboratively sponsored by MITRE, NIST, NSA, DHS and FIRST (Forum of Incident Response and Security Teams). SCAP specifications are either a language (e.g., XCCDF, OVAL, OCIL), an enumeration (e.g., CCE, CVE), or a metric (e.g., CVSS, CCSS).
Security Content Automation Protocol – SCAP
The Security Content Automation Protocol (SCAP) is a suite of specifications that standardise the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP version 1.2 requirements are defined in NIST Special Publication 800-126 Revision 2. NIST stands for National Institute of Standards and Technology, U.S. Department of Commerce.
Leveraging existing standards, STIX-based indicators can be converted to machine-actionable content in SCAP format. The process can be fully automated from indicators to actions, from amenable information to automated threat intelligence sharing
Knowledge is power but only when shared. To really keep up with threat actors, and their techniques that are getting more sophisticated every day, organisations must share their knowledge on the tactics and vulnerabilities to help themselves and others defending against attacks.
The sharing of threat intelligence should ultimately lead to tactical actions that help organisations further protect their users and infrastructure. Because the stake is high, it is important to have a seamlessly flowing process.
Threat intelligence platforms produce data and information, which analysts can use to make threat intelligence actionable. A computer can never produce threat intelligence; on the other hand, humans cannot collect and process huge volumes of threat data. Automating threat intelligence from internal and external data sources through an ecosystem of security tools and open-source intelligence (OSINT) feeds would help make and share threat intelligence in time. Adopting a common threat intelligence expression language would facilitate the sharing of threat intelligence internally among all the data systems and externally across all the partner organisations. As recent attacks have been painfully successful, the need of threat intelligence has become obvious, standards and specifications are being driven toward a convergence of threat intelligence platforms capable of acquiring, packaging, exchanging and consuming standard-based threat intelligence.
A critical aspect of cyber security is the ability to share and receive actionable threat intelligence. Those are the requirements to build and operate an automated cyber threat intelligence platform that delivers up-to-the-minute actionable threat intelligence to help identifying and prioritising vulnerabilities, and staying ahead of attacks.
(By Ass. Prof. Boning Feng, Oslo Metropolitan University, and the team at Secure 5G4IoT Lab)